Exploit
CVE-2023-33009

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') (CWE-120)

Published: May 24, 2023 / Updated: 18mo ago

CVSS 9.8 / EPSS 2.24% / Critical

A buffer overflow vulnerability in the notification function in Zyxel ATP series firmware versions 4.32 through 5.36 Patch 1, USG FLEX series firmware versions 4.50 through 5.36 Patch 1, USG FLEX 50(W) firmware versions 4.25 through 5.36 Patch 1, USG20(W)-VPN firmware versions 4.25 through 5.36 Patch 1, VPN series firmware versions 4.30 through 5.36 Patch 1, ZyWALL/USG series firmware versions 4.25 through 4.73 Patch 1, could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and even a remote code execution on an affected device.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

First Article

Feedly found the first article mentioning CVE-2023-33009.

May 24, 2023 at 12:30 PM / cve.report

Exploitation in the Wild

Attacks in the wild have been reported by CISA Known Exploited Vulnerability.

Jun 5, 2023 at 11:00 AM / CISA Known Exploited Vulnerability

Threat Intelligence Report

CVE-2023-33009 is a critical buffer overflow vulnerability affecting Zyxel firewalls, listed in the CISA Known Exploited Vulnerabilities catalog. This vulnerability can be exploited by attackers without authentication, leading to denial-of-service attacks and remote code execution. Organizations should prioritize patching and follow Zyxel's guidance to mitigate the risk of exploitation and potential downstream impacts on third-party vendors.

Jun 13, 2023 at 9:23 AM

EPSS

EPSS Score was set to: 2.24% (Percentile: 88.2%)

Sep 16, 2023 at 9:13 AM

Exploitation in the Wild

Attacks in the wild have been reported by Risky Business News.

Nov 15, 2023 at 5:33 AM / Risky Business News

Exploitation in the Wild

Attacks in the wild have been reported by Black Hat Ethical Hacking.

Nov 16, 2023 at 9:18 AM / Black Hat Ethical Hacking

Attribution of Exploits

The vulnerability is known to be exploited by Sandworm.

Nov 16, 2023 at 2:01 PM / Infosecurity

Exploitation in the Wild

Attacks in the wild have been reported by Infosecurity Magazine.

Nov 21, 2023 at 9:47 AM / Infosecurity Magazine

Exploitation in the Wild

Attacks in the wild have been reported by Mondaq News Alerts.

Nov 22, 2023 at 6:49 AM / Mondaq News Alerts

Affected Systems

Zyxel/usg_flex_50_firmware

Proof Of Exploit

https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Patches

www.zyxel.com

Links to Malware Families

Mirai

Links to Threat Actors

Sandworm

Attack Patterns

CAPEC-10: Buffer Overflow via Environment Variables

References

Protect Network: Critical Vulnerabilities in Zyxel Firewall and VPN Devices
However, additionally employing security testing, including vulnerability scanning and penetration testing, can help identify and address potential buffer overflow issues. Firmware versions ZLD V4.25 to V5.36 Patch 1 (fixed in ZLD V5.36 Patch 2) for Zyxel USG FLEX50(W) and USG20(W)-VPN
Zyxel security advisory for multiple buffer overflow vulnerabilities of firewalls | Zyxel Networks
A buffer overflow vulnerability in the notification function in some firewall versions could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and even a remote code execution on an affected device. A buffer overflow vulnerability in the ID processing function in some firewall versions could allow an unauthenticated attacker to cause DoS conditions and even a remote code execution on an affected device.
The attack against Danish, critical infrastructure [pdf]
to detect cyber attacks against Danish critical infrastructure. Without SektorCERT's sensor network to detect the attacks, our skille\

News

Breaking the Mold: Halting a Hacker’s Code ep. 19 – RCE CVEs 2023
There are several prevention and mitigation strategies that can help to protect against remote code execution (RCE) attacks: Once successfully exploited, an attacker could take full control of an affected system, including but not limited to installing malware, stealing sensitive data, tampering with or deleting files, creating new accounts, and performing other unauthorized operations.
Top 10 RCE Vulnerabilities Exploited in 2023
The successful exploitation of CVE-2023-0669 grants malicious actors the ability to execute code remotely; initial signs of suspicious activity related to this zero-day vulnerability were detected on January 18, 2023, while it was officially disclosed by Fortra on February 1, 2023. In this article, we will explore the top vulnerabilities that fueled RCE exploits during the year of 2023, dissecting the targets chosen by threat actors and the specific weaknesses they scrutinized and exploited to achieve remote control over systems and networks.
Open-Source Detector of CISA's Known Exploitable Vulnerabilities
ostorlab scan run --install -g agent_group.yaml domain-name www.example.com
ostorlab scan run --install -g agent_group.yaml domain-name example.com
SPY NEWS: 2024 — Week 2
Summary of the espionage-related news stories for Week 2 (January 7–13) of 2024. 1. Tradecraft Sunday: Episode 7: Disruptive Action. On January 7th we published our 7th episode of this series. As per its description, “Disruptive Action refers to a type of intelligence special operation where a group of people is dismantled through covert means, with no direct attribution to the spy agency conducting this activity. In this episode we briefly present this intelligence activity.” 2. United Kingdom: Christine Granville:

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
